Login
Speaking to many CISOs, it’s clear that many security executives view zero trust as a journey that can be difficult to start, and one that even makes identifying successful outcomes a challenge. Simultaneously, the topic of security resilience has risen up the C-level agenda and is now another focus for security teams. So, are these complementary? Or will they present conflicting demands that will disrupt rather than assist the CISO in their role?
One of the most striking results coming from Cisco’s latest Security Outcomes Report is that organizations with a mature zero trust implementation – those with basic controls, constant validation and automated workflows – experience a 30% improvement in security resilience compared to those who have not started their zero trust journey. So, these two initiatives – implementing zero trust and working to achieve security resilience – appear to complement each other while supporting the CISO when a cyber black swan swims in.
Security resilience is the ability to withstand an incident and recover more strongly. In other words, ride out the storm and come back better. Meanwhile, zero trust is best known as a “never trust, always verify” principle. The idea is to check before you provide access, and authenticate identity based on a risk profile of assets and users. This starts to explain why the two are complementary.
The Security Outcomes Report summarizes the results of a survey of more than 4,700 security professionals. Among the insights that emerge are nine security resilience outcomes they consider most important. The top three outcomes for resilience are prevention, mitigation and adaptation. In other words, they prioritize first the ability to avoid an incident by having the right controls in place, then the ability to reduce and reverse the overall impact when an incident occurs, and then the ability to pivot rapidly without being bound by too rigid a set of systems. Zero trust will support these outcomes.
Preventing, or reducing the likelihood of a cybersecurity incident, is an obvious first step and no surprise as the most important outcome. Pursuing programs that identify users and monitor the health of devices is a crucial a preventative step. In fact, simply ensuring that multifactor authentication (MFA) is ubiquitous across the organization can bring an 11% improvement in security resilience.
When incidents occur, security teams will need a clear picture of the incident they are having to manage. This will help in them respond quickly, with a proactive determination of recovery requirements. Previous studies show that once a team achieves 80% coverage of critical systems, the ability to maintain continuity increases measurably. This knowledge will also help teams develop more focused incident response processes. A mature zero trust environment has also been found to almost double a team’s ability to streamline these processes when compared to a limited zero trust implementation.
When talking to CISOs about successful implementation programs, communication within the business emerges as a recurring theme. Security teams must inform and guide users through the phases of zero trust implementation, while emphasizing the benefits to them. When users are aware of their responsibility to keep the organization secure, they take a participatory role in an important aspect of the business. So, when an incident occurs, they can support the company’s response. This increases resilience. Research has shown that a mature program will more than double the effect of efforts to improve the security culture. Additionally, the same communication channels established to spread the word of zero trust now can be called upon when an incident requires immediate action.
Mature implementations have also been seen to help increase cost effectiveness and reduce unplanned work. This releases more resource to cope with the unexpected – another important driver of resilience surfaced in Volume 3 of the Security Outcomes Report. Having more efficient resources enables the security function to reallocate teams when needed. Reviewing and updating resource processes and procedures, along with all other important processes, is a vital part of any of any change initiative. Mature zero trust environments reflect this commitment continuous assessment and improvement.
Inherent in organizational resilience is the ability to adapt and innovate. The corporate landscape is littered with examples of those who failed to do those two things. A zero trust environment enables organizations to lower their risk of incidents while adapting their security posture to fit the ongoing changes of the business. Think of developing new partners, supporting new products remotely, securing a changing supply chain. The basic tenets of MFA – including continuous validation, segmentation and automation – sets a foundation that accommodates those changes without compromising security. The view that security makes change difficult is becoming obsolete. With zero trust and other keys to achieving security resilience, security now is a partner in business change. And for those CISOs who fear even starting this journey, understanding the benefits should help them take that first step.
Download the Security Outcomes Report, Vol. 3: Achieving Security Resilience today.
Learn more about cybersecurity research and security resilience:
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Two years ago, we asked the question: What actually works in cybersecurity?
Not what everyone’s doing—because there are plenty of cybersecurity reports out there that answer that question—but which data-backed practices lead to the outcomes we want to implement in cybersecurity strategies?
The result was the first Security Outcomes Report, in which we analyzed 25 cybersecurity practices against 11 desired outcomes. And thanks to a large international respondent group, together with the mighty data science powers of the Cyentia Institute, we got some good data that raised as many questions as it answered. Sure, we found some strong correlations between practices and outcomes, but why did they correlate?
Last year, our second report focused in on the top five most highly correlated practices and tried to reveal more detail that would give us some guidance on implementation. We found that certain types of technology infrastructure correlated more with those successful practices, and therefore with the outcomes we’re seeking. Is architecture really destiny when it comes to good security outcomes? It does appear to be the case, but we had more research ahead of us to be more confident in a statement that sweeping.
All the while, we’ve been listening to readers considering what they’d like to glean from this research. One big question was, “How do we turn these practices into management objectives?” In other words, now that we have some data on practices we should be implementing, how do we set measurable goals to do so? I’ve led workshops in the UK and in Colombia to help CISOs set their own objectives based on their risk management priorities, and we’ve worked to identify longer-term targets that require close alignment with business leaders.
Another question that took a front-row seat in our presentations and just wouldn’t leave: the topic of cyber resilience, or security resilience. It’s almost reached the status of a buzzword in the security industry, but you can understand why it’s ubiquitous.
“Among the upheaval of the pandemic, political unrest, economic and climate turbulence, and war, everyone is struggling to find a new ‘business as usual’ state that includes being able to adapt better to the shaky ground beneath them.”
But what exactly is security resilience, anyway? What does it mean to security practitioners and executives around the world? And what are the associated cybersecurity outcomes that we can identify and correlate? We know it doesn’t simply mean preventing bad things from happening; that ship has sailed (and sunk). We also know that security resilience doesn’t always mean full recovery from an event or condition that has knocked you down. Rather, it means continuing to operate during an adverse situation, either at full or partial capacity, and mitigating the effects on stakeholders. Ideally speaking, security resilience also means learning from the experience and emerging stronger.
Security resilience is the focus of the third volume of our Security Outcomes Report: Achieving Security Resilience. It tells us how 4,700 practitioners across 26 countries are prioritizing security resilience: what it means to them, what they’re doing successfully to achieve it, and what they’re struggling with. Once again, the data gives us interesting ideas to ponder.
A stronger security culture boosts resilience by as much as 46%. By “culture,” we don’t mean annual compliance-driven awareness training. Cybersecurity awareness is what you know; security culture is what you do. When organizations score better at being able to explain just what it is that they need to do in security and why, they make better decisions in line with their security values, and that leads to better overall security resilience.
It doesn’t matter how many people you have; it matters whether you have any of them available in reserve to respond to events. Organizations with a flexible pool of talent internally (or on standby externally) show anywhere from 11% to 15% improvement in resilience. Which makes sense, as a fully leveraged team will be strained if they have to work even harder to take on an incident.
Because so many organizations around the world are looking to the NIST Cybersecurity Framework as a guidepost for cybersecurity practices, we also analyzed which NIST CSF capabilities correlated most strongly with our list of resilience outcomes. For example, our survey respondents that do a great job tracking key systems and data are almost 11% more likely to excel at containing the spread and scope of security incidents. From one angle, this seems like an obvious result, hardly worth mentioning. On the other hand, it’s worth presenting to your management some data that shows that investing in asset inventory solutions really does have long-range effects on your ability to stop an intrusion.
And there’s much more. The report identifies—and then explores—seven success factors that, if achieved, boost our measure of overall security resilience from the bottom 10th percentile to the top 10th percentile. These include establishing a security culture and properly resourcing response teams, among others.
I hope this introductory blog—the first in a series exploring this latest report—whets your appetite to read the report itself. And remember, we are always aiming to reveal the next undiscovered insight that leads to better security outcomes. Please share your feedback and research requests with us in the comments below, or talk to us at the next security conference.
For more insights like what you’ve seen in today’s blog take a look at the Security Outcomes Report, Volume 3: Achieving Security Resilience.
Explore more data-backed cybersecurity research and other blogs on security resilience:
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS 